The device is called OwnStar and it’s the creation of Samy Kamkar, a security researcher and hardware hacker who makes a habit of finding clever ways around the security of various systems, including garage doors, wireless keyboards, and drones. His newest creation essentially allows him to take remote control of users’ vehicles simply by sending a few special packets to the OnStar service. The attack is a car thief’s dream.

Kamkar said that by standing near a user who has the RemoteLink mobile app open, he can use the OwnStar device to intercept requests from the app to the OnStar service. He can then take over control of the functions that RemoteLink handles, including unlocking and remotely starting the vehicle.

Trailrunner7 writes: The accumulation of automation and Internet-connected devices in many homes these days has led observers to coin the term smart homes. But as researchers take a closer look at the security of these devices, they’re finding that what these homes really are is naive.

The latest batch of vulnerabilities to hit home automation equipment are in the Tuxedo Touch controller made by Honeywell, a device that’s designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet, and researcher Maxim Rupp discovered that there are two vulnerabilities in the Tuxedo Touch that could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.

Trailrunner7 writes: In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits and vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings with Hacking Team were exposed. But now there’s a new entrant in the field, Zerodium, and there are some familiar names behind it.

The company is affiliated with VUPEN, a vulnerability and exploit broker that often is at the center of discussions about the legality and ethics of such businesses. VUPEN, run by researcher Chaouki Bekrar, is one of the rare companies in that field that does all of its own research and development; it does not buy vulnerabilities or exploits from outside sources. But now, at a time when there has never been more attention from lawmakers, media, and governments, Bekrar has created a new venture that will wade fully into the purchase of bugs and exploits.

Zerodium plans to focus exclusively on buying high-risk vulnerabilities, leaving aside the lower end of the spectrum. The company will use the vulnerabilities it acquires to make up a feed of vulnerabilities, exploits, and defensive measures that it provides to customers.

Trailrunner7 writes: As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren’t enough for organizations to deal with, HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution.

Each of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.

The oldest vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.

The new statement from Hacking Team comes after two weeks of stories resulting from the compromise of the company’s network earlier this month. The Hacking Team breach was devastating, involving the release of 400 GB of data stolen from the company’s system, including emails, customer invoices, and some of the source code for the Hacking Team Remote Control System platform. Some of the more damaging information to emerge from the cache includes documents showing the company sold its surveillance tools to government agencies in Ethiopia, Syria, Sudan, and other oppressive countries.

“The company has always sold strictly within the law and regulation as it applied at the time any sale was made. That is true of reported sales to Ethiopia, Sudan, Russia, South Korea and all other countries,” a statement from the company released Wednesday says.

Marietje Schaake, a Dutch member of the European Union Parliament who has been critical of Hacking Team and other companies that deal in exploits and intrusion software, said Wednesday on Twitter that perhaps laws need to be changed to deal with such sales.

“If #hackingteam acted legally, we must update laws but companies always have choice to act ethically and morally,” she wrote.

Among the revelations in the cache of documents leaked after the attack on HackingTeam was information about Netragard selling an exploit to the Italian maker of intrusion and surveillance software. The HackingTeam documents also showed that the company sold its products to a variety of customers associated with oppressive regimes, including Egypt and Ethiopia. In the past, HackingTeam officials had denied that they dealt with such customers, but the leaked emails and other documents from the attack earlier this month showed otherwise.

Now, CEO Adriel Desautels said the company has decided to end its exploit acquisition program altogether due to the ethical and political issues it involves.

“We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam, unbeknownst to us until after their breach, was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendor’s responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it,” he said in a blog post over the weekend.

schwit1 writes: The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed; once they are hacked, they're hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.

"It's probably the biggest counterintelligence threat in my lifetime," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."

The move is a temporary one as Adobe prepares to patch two vulnerabilities in Flash that were discovered as a result of the HackingTeam document dump last week. Both vulnerabilities are use-after-free bugs that can be used to gain remote code execution. One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash.

Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there’s a module for it in the Metasploit Framework, as well.

Trailrunner7 writes: The ever-expanding data breach at the Office of Personnel Management has now spread to include the Social Security numbers and other personal data of a total of 21.5 million people, and the toll also now includes the agency’s director, Katherine Archuleta, who resigned Friday morning.

Archuleta had been under an increasing amount of pressure ever since the hack came to light last month. Legislators last month took Archuleta and CIO Donna Seymour to task for not addressing security deficiencies and failing to implement controls such as database encryption and two-factor authentication agency-wide. Archuleta said during the hearing before the House Committee on Oversight and Government Reform that protecting users was her highest priority.

“You have completely and utterly failed, if that was your mission,” Rep. Jason Chaffetz (R-Utah) said during the hearing.

Archuleta informed President Barack Obama on Friday that she was resigning.

The bug was reported two weeks ago to the OpenSSL project by Google researcher Adam Langley and BoringSSL’s David Benjamin, and affects only OpenSSL 1.0.1 and 1.0.2.

“It’s a bad bug, but only affects anyone who installed the release from June,” said Rich Salz, a member of the OpenSSL development team. The bug was introduced during that update and affected relatively few organizations. “It’s a bad bug, but the impact is low. We haven’t heard any reports of it being used in production.”

The vulnerability allows an attacker with an untrusted TLS certificate to be treated as a certificate authority and spoof another website. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic.
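As an added illustration (not OpenSSL's code), the toy chain walker below models the class of failure the post describes: if the validator does not insist that every issuer it walks through is marked CA:TRUE, an ordinary end-entity certificate that chains to a trusted root can be used to "issue" a certificate for any other site. Certificates are plain dicts and signature checks are reduced to issuer-name matching; all names are constructed.

```python
from typing import Dict, Tuple

# Model of a certificate: subject, issuer name, and the basicConstraints CA flag.
def make_cert(subject: str, issuer: str, is_ca: bool) -> Dict:
    return {"subject": subject, "issuer": issuer, "is_ca": is_ca}

def validate_chain(leaf: Dict, pool: Dict[str, Dict], trusted: Dict[str, Dict],
                   enforce_ca: bool = True, max_depth: int = 8) -> bool:
    """Walk from the leaf toward a trust anchor using 'pool' (untrusted certs the
    peer supplied). Returns True only if a trusted root is reached.
    enforce_ca=True  -> every cert used as an issuer must carry CA:TRUE (correct).
    enforce_ca=False -> any cert may act as an issuer (the flawed behaviour)."""
    cert = leaf
    for _ in range(max_depth):
        issuer_name = cert["issuer"]
        if issuer_name in trusted:
            return True                      # reached a trust anchor
        issuer = pool.get(issuer_name)
        if issuer is None:
            return False                     # chain cannot be completed
        if enforce_ca and not issuer["is_ca"]:
            return False                     # a CA:FALSE cert must not sign others
        cert = issuer
    return False                             # too deep / cycle

def demo() -> Tuple[bool, bool]:
    """Constructed scenario: the attacker holds a legitimate CA:FALSE cert for
    attacker.example issued by a trusted root, and uses it to 'sign' a
    certificate for bank.example. Returns (flawed_result, correct_result)."""
    root = make_cert("Root CA", "Root CA", is_ca=True)
    attacker_leaf = make_cert("attacker.example", "Root CA", is_ca=False)
    forged = make_cert("bank.example", "attacker.example", is_ca=False)
    pool = {c["subject"]: c for c in (attacker_leaf, forged)}
    trusted = {"Root CA": root}
    flawed = validate_chain(forged, pool, trusted, enforce_ca=False)   # True: spoof accepted
    correct = validate_chain(forged, pool, trusted, enforce_ca=True)   # False: rejected
    return flawed, correct

if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is the `enforce_ca` branch: a validator that builds alternative chains must re-apply the CA constraint on every path it tries, not only on the first one.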

Trailrunner7 writes: It has been an absolutely brutal week for Hacking Team. All of the company’s documents, internal communications, emails with customers, and invoices have been published, including its dealings with oppressive regimes and customers in sanctioned countries. But even with all that, company officials said they have no plans to cease operations, even as they’re asking customers to stop using their surveillance products for the time being.

“Of course, but we have recommended that clients suspend surveillance while we make upgrades,” Hacking Team spokesman Eric Rabe said in an email.

Rabe also said that Hacking Team is worried that the release of the source code of its Remote Control System will allow "terrorists" to deploy the system.

“Before the attack, HackingTeam could control who had access to the technology that was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation.”

Marietje Schaake, a Dutch member of the European Union Parliament, expressed concern over many of the details of Hacking Team’s business that were revealed in the huge dump of documents on Sunday. Specifically, Schaake was worried about contracts and invoices that show the company sold its Remote Control System intrusion software to customers in countries that are under EU sanctions. Some of the documents released after the hack of Hacking Team show that the Italian company sold its software to government agencies in countries such as Sudan, Egypt, and Ethiopia, which are considered repressive regimes.

“The company claims that their product not only relays what is happening on a target’s computer, but also enables surveillance of anything occurring within the range of the computer’s internal camera or microphone. This is extremely problematic when it comes to the human rights of internet users in Sudan. In fact, it seems this sale to Sudan would not only constitute a violation of the UN Sanctions Regime,” Schaake said.

Trailrunner7 writes: U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement.

Wilcox last week published his university dissertation, presented earlier this spring for an ethical hacking degree at the University of Northumbria in Newcastle, England. The work expands on existing bypasses for Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), free software that includes a dozen mitigations against memory-based exploits. Microsoft has on more than one occasion recommended use of EMET as a temporary stopgap against publicly available zero-day exploits.

Wilcox’s published dissertation, however, is missing several pages that describe proof-of-concept exploits, including one that completely bypasses a current EMET 5.1 installation running on a fully patched Windows computer. He said last Wednesday in a blog post that the missing pages and redactions within the text happened partly because of the Wassenaar Arrangement.

“Whilst it has impacted the release of my research it has not impacted my passion and I plan to continue researching such material as and when I feel like, though in an ideal world I would like clearer instructions so I can figure out how to do this appropriately (of which there seems to be some confusion),” Wilcox said in an email to Threatpost.

Trailrunner7 writes: One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters’ Laboratory.

Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.

The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.

Trailrunner7 writes: Many smartphones manufactured by LG contain a vulnerability that can allow an attacker to replace an APK file with a malicious file of his choice.

The problem is the result of several conditions on LG phones. Like other manufacturers, LG includes custom apps on its handsets, which are not available through the normal Google Play store. The apps are pre-loaded and have a separate update mechanism that relies on contacting an LG server to download new code. Researchers at Search-Lab in Hungary found that the update process for these apps does not validate the security certificate presented by the server on the other end, opening users up to man-in-the-middle attacks.